A
Hey everyone and welcome along to Seriously Risky Biz. This is our podcast here, all about cyber security policy and intelligence. My name's Amberly Jack and very shortly I'll bring in Tom Uran, our policy and intelligence editor, and we're going to have a chat about the Seriously Risky Business newsletter that Tom has written this week. You can of course read that and subscribe over at our website, risky.biz. But first I would like to thank our sponsor for this week's show, which is a cloud-based identity and access management platform, Okta. And you can find them at okta.com. G'day, Tom. It's great to see you.
B
G'day, Amberly. How are you?
A
Really good, thanks, Tom, and I want to jump straight in and talk about the war in Iran and in particular, given the subject matter of this podcast, cyber's role in recent strikes. Now, first up, this is sort of the first time that there has been an immediate and a public acknowledgement and quite a detailed one about cyber's role in military conflict. But what sort of stood out to you, Tom, was that there is really quite a short window of opportunity for cyber when it, when it comes to conflict. So tell me a little bit more about that.
B
Yeah, so here for a good time, not for a long time. So the Financial Times has a really interesting piece that talks about how much intelligence Israel was collecting in Tehran in particular. So they kind of skip over the deeply penetrated mobile networks, which I thought was like extremely significant, but they go straight to having access to almost every traffic camera in Tehran. Now, if you're building pattern of life, which is where people go when they go there, what's their weekly daily monthly routine? That's tremendously useful. I think both mobile phones and the traffic cameras are like complementary and the story is that the US learnt that senior leader Ali Khamenei was going to have a meeting with senior officials on Saturday, Saturday when the war started. And that was the meeting that enabled essentially a decapitation strike. A strike to try and kill a whole swathe of senior leadership all at once. And that I believe was HUMINT, or they say it's HUMINT, but the traffic cameras and the mobile phones, that real time intelligence was used to confirm that, yes, this meeting is actually going ahead. It appears that these people are congregating at his compound. Yeah.
A
Wow.
B
There's another piece where it says, another piece of. In the report which says that the mobile towers in the vicinity of the compound was, were diddled with somehow so that warning messages could not get through to Khamenei's protection detail. So that is a really nice orchestration of different cyber capabilities to bring them together to achieve a surprise attack. So on Between Two Nerds, The Grugq and I have often spoken about how when you've got time and space to plan, that's the best time to use cyber operations to try and achieve something militarily. Because although they can be executed very quickly, it takes a long time to plan them and to get all the ducks in a row. So this is a classic example of doing long term groundwork to be in a position to enable yourself to do this.
A
I mean, you and I were sort of talking about this as we were going over the newsletter as well, and you sort of said it was, it was these operations that almost look like they dictated the timing of the start of the war. And as you said, they wouldn't, you know, if they didn't have these cyber operations, they would have found another way to do it, but it just kind of drives home how important they were in this conflict.
B
Yeah, yeah, yeah. So I think if you imagine that cyber espionage doesn't exist, they would have invested in like, you know, people sitting on corners with phones and binoculars or something like that. There are alternatives, but once you've spent the time and effort, it just makes it easier. It's a thing that you can use for many different purposes. It can be almost ubiquitous throughout the city. Most cities have lots of security cameras all over the place. It wasn't, this is a six month thing, this is a year thing. The Financial Times talks about Iran being a priority for Israel for 20 years.
A
Wow. Yeah.
B
And so the, that's something that builds over time and it's really bringing the pieces together for that moment now. So that was basically the very start of the war. The other interesting thing is that there's a particular prayer app. And so this feels almost from the lethal to the mundane. So there's a particular prayer app, it's very popular in Iran. It's used by religious people. Probably quite a few regime people use it. And pretty much immediately after that strike, it started to push out messages in support or against the regime, encouraging people to resist the regime. There's messages particularly aimed at military people. You know, lay down your arms if you want to support your Iranian brothers and sisters. You know, the only way up for you is to resist the regime. Now that seems somewhat, it's unclear at all what effect that would have. Like if you were presenting it to a military leader, you would say you would call it psychological warfare. But I mean, they're pushing push messages to mobile phones.
A
Yeah.
B
Now the, you can imagine that if it was part of a very large campaign, like everything else is falling over all at once, maybe that has some resonance. Like, you know, the Israelis are everywhere, they've got everything. There's a story from David Sanger in his book The Perfect Weapon, he talks about what was called Olympic Games and he claimed that there was a U.S. ability to disrupt many different critical infrastructure parts in Iran using cyber operations. So that doesn't seem to have happened. There is a report in the Jerusalem Post which said a lot of things have stopped working all across the country, but it's not, I've not found it backed up anywhere in less partisan media outlets. So for Iran International, which is an English language based publication that focuses on Iran, doesn't mention at all and it's not supportive of the regime. So if it had happened, I think there's a good chance it would have reported it. But in this context it seems like just having the prayer app push out messages without other supporting actions doesn't seem like it would amount to much. But I kind of think that the app collected location data as well. So it would tell you prayer times to know what the right prayer time was. Maybe it's helpful to have location and you can imagine that would be like perfect material to feed into an intelligence collection machine. It could help all sorts with all sorts of different correlations, where people go, when, etc., etc. So I feel like at the point you're launching a war, it's like, well, we may as well send out a few messages. You know, if they land, that's great. If they don't, well, you know, we've escalated to the highest point.
A
And Tom, all this kind of happened within a couple of hours of the war starting and Iran actually turned off the Internet for the entire country a couple of hours later. So that's where the short window of opportunity comes in.
B
Yeah, yeah, that's right. So we've not seen this before and I guess this is like so far the biggest example of cyber overmatch. I guess like compared to the ability of Israel and the US to compromise Iran, it's, you know, it seems like they're totally owned, like, you know, traffic cameras, prayer apps, mobile networks, and I think probably a lot more was compromised. And the more that you get totally owned and controlled by cyber means, the more likely it is that the victim government, the regime is likely to just pull the switch and turn off the Internet. So they did that within four hours. I really doubt that it was because they thought, oh, we're being, we're being beaten up in the cybers, we've got to turn off the Internet. I think that's just their default response when there's the possibility of domestic unrest.
A
And just on that, I mean, you sort of say this is their default response. So if this wasn't US Israel against Iran, if it was, I don't know, US against China like we were talking about before, do you think there would be that same small window of opportunity? Do you think the response would be quite as
B
drastic?
A
Drastic?
B
I think that when the, this is a particular case. Right. So it's clear that the Iranian domestic networks were compromised, many of them, and so the gains they got from shutting off the Internet like they serve multiple purposes as well. Now, I think in a more even match, it's more likely that the cyber wins are not so overwhelming that you would take such drastic action. But I think that there is a dynamic where if you're being pummeled in cyberspace, there are things you can do like cutting off access and switching off the Internet and firewalling things and turning particular links off. So it feels to me like this illustrates that there could well be a sort of self limiting dynamic where at the beginning of a conflict you can kick some goals because no one's prepared, you've had time to line it up, they haven't had time to respond, you know what you're doing and you've got the element of surprise as that goes on. I think that the reaction, because in effect, like Iran controls its own cyberspace, at least in the sense of having an on, off switch. And you know, so the more effective those cyber operations are, the more likely is that the, the country on the receiving end will do something drastic to stop them. So it feels like there's a, maybe an equilibrium or a point where you can only get so much success before it must stop. And I think when the adversaries are more equally matched, it's more likely that everyone will just stumble along. But I still think that first dynamic of you need time and space to plan makes it more difficult to have really impactful operations.
A
I want to move on, Tom, to AI, the second piece in your newsletter today and AI's impact on the threat landscape. There have been a bunch of reports come out from a number of different security companies and the big takeaway that you have here, Tom, is that AI isn't necessarily making things better or new, but just a whole lot faster, which is kind of good news for defenders.
B
It's like the ocean is rising. It's still the same ocean. You're just underwater now. Yeah. So I'm a very positive person, Amberly. Learn to swim very fast. So every single security roundup report, they've got AI sprinkled everywhere through it. And the take home message was things are a lot faster, but they're not doing totally new and different things. So AI doesn't create a magic bullet that somehow will overwhelm defenders. It's the same stuff, just more of it and faster. And I think one example which is particularly concerning is when it comes to phishing. So the threat actors, cyber criminals, espionage actors, they're using LLMs and generative AI to sort of reinforce the bona fides to appear more authentic. They're coming up with, they might generate a whole lot of digital assets like images for a website that look good. They would use a language model to adjust the tone and the way that they speak, make sure that it sounds authentic to what they're purporting to be. So one of the examples in an OpenAI report was that there was a group that was pretending to be lawyers and legal professionals. Yeah. And I think their native language was non-English, but they were using an LLM to say, you know, make me appear, use language, lawyer speak to, to reach out to these people. And so they had the messages, the content of the messages already. They weren't relying on AI to come up with totally new messages to scam people, but they were making it appear correct for a lawyer or a law enforcement professional. Use the right sort of language.
A
Yeah. So what I'm kind of hearing, Tom, is that the advice that we've been giving our parents for years and years, that if your bank doesn't know how to spell, it's probably not your bank is maybe not so accurate anymore.
B
Yeah. So there was a sideline, probably still is, in phishing training, where you were told to look out for typos and language that didn't quite sound right and images that were not quite right. I think that's all gone out the window. Like there's AI will get those things right.
A
Yeah.
B
There's also in a lot of the reports increasing, I guess you might call it, market segmentation for criminals and that they're targeting narrower and narrower slices. So like one OpenAI, the OpenAI report talked about, you know, men in their American, men in their 40s who are in the medical profession who like to talk about golf online. So it's not this broad brush we'll try and reel in anyone. It's targeted at particular individuals. Another was wealthy Indonesian men who liked particular luxury items or luxury hobbies. And so I think appealing to a particular market, market segment is probably likely to be more effective because you can hone in your message. Interestingly, those campaigns, again, the LLMs were not used to create the messages. Like, these scammers have playbooks that they've, that are trialled and tested. They're empirically determined over years. You know, this is what works, this works better than that. But they were used to get the language right and for translation. And there's another example. Trend Micro prototyped LinkedIn, LinkedIn to targeted phishing message machine. And they prototyped that in a day. So I've not heard of real threat actors doing that, but it's just a matter of time so that they'll be able to take people. It really lowers the bar for that kind of targeted high value phishing campaign where you do spear phishing campaign where you do a lot of open source research to try and get everything right in the hope of getting a big payoff. So that used to be like business email compromise, target against chief officers, you know, CEOs, CEOs, CFOs, that kind of thing. And that brings that type of campaign within the reach of less sophisticated groups. And also they can probably use it against what I would call like low value targets.
If you're a CEO, you probably, you should know that you're a potential target of this and you should be taking countermeasures and you should be telling your team like, you know, these are the countermeasures we're taking. You should have policies about that. But I think that there are a lot of low value targets where like that doesn't really make sense. And so I think there's a lot more people susceptible to that kind of thing.
A
So if everything's kind of getting easier and faster thanks to AI, what, what's the answer for defenders here? I mean, learn how to swim very fast like we said. But what does that involve, Tom?
B
A bit like an equilibrium where, you know, attackers could devote a certain amount of effort and defenders could devote a certain amount of effort and you reached an equilibrium you were comfortable with. It wasn't perfect, but that was an acceptable level of fraud or loss or compromise, whatever. And I think that AI sort of shifted the criminal or threat actor point higher. So you need to respond in kind. Now. I think AI will also help defenders be faster and quicker and respond better.
A
I was going to say, I Mean, you know, back in the day it used to be very smart attackers against very smart defenders. Is it now just very fast machines against very fast machines?
B
Like, I think there's, if you're relying on machines to do things to protect you, like it's too late in a sense. Like you've got to get things in place, you've got to set up your defenses beforehand. So yes, machines will respond in machine time, but you've got to have the policies and procedures and what they're actually doing ready beforehand. You can't rely on a machine to go, oh, there's a new attack, let me do everything right now. You've got to have it in place and tell it. Many of the things are just standard cyber hygiene. So I guess the things that you used to do, you need to do more of them and maybe an AI technology can help you do that. I think part of the problem is that threat actors can very quickly prototype what are we going to do and they can tell if it works straight away. I think within larger organizations and real businesses there's a lot of dependencies that make it harder to get things done because there's so many. The business relies on so many different things so that security sometimes can be a stopper. Stopper, I don't like that word. But it can slow things down. And so you're always internally fighting a battle about the reason why we need more security. So, you know, the, the pessimistic part in me says, well, what's going to happen is everyone is going to get owned. There'll be bad consequences for business and that'll justify ramp up in security eff and then that ramp up will reach that equilibrium again where people are air quotes happy. There's an acceptable amount of loss, damage, scamming the business can wear or is reasonable, I don't know.
A
So it's not like you to have a pessimistic side, Tom.
B
Well, I mean, I think it's good for the newsletter.
A
Hey look, we're going to leave it there, but thank you so much for joining me yet again. You can of course read and subscribe, subscribe to Tom's newsletter over at our website, risky.biz. But Tom, always great to chat and look forward to doing it again next week.
B
Thanks, Amberly.
Podcast: Risky Bulletin (Risky Business Media)
Date: March 5, 2026
Host: Amberly Jack
Guest: Tom Uran (Policy and Intelligence Editor)
This episode dives into the pivotal role of cyber operations in the recent military strikes on Iran, marking the first time such tactics have been publicly acknowledged in real-world conflict. The discussion centers on the short but intense window where cyber played a decisive role, the orchestration required for successful digital operations in warfare, and the psychological/information aspects targeting both leadership and the wider public. The latter half explores evolving cyber threats fostered by AI, highlighting how adversaries and defenders alike are adapting at speed, but not necessarily changing the fundamentals of the threat landscape.
Summary:
This episode illuminates how deeply cyber operations can shape—and limit—the outcomes and tempo of modern conflicts, as demonstrated in the Iran strikes. It also maps out the new normal for defenders: a world moving faster, where preparation and automation are essential, conventional wisdoms about threat detection are obsolete, and the line between offense and defense is rapidly shifting thanks to AI-enhanced tactics.